General

  • Target

    607e933de863079ad4951af3f23bcfd0_NeikiAnalytics.exe

  • Size

    120KB

  • Sample

    240523-ambzmsef52

  • MD5

    607e933de863079ad4951af3f23bcfd0

  • SHA1

    6f36e33c472f58cfb65f0385e13bb25c9ad32219

  • SHA256

    493a3d28030bc5b394d23d1b2b19bbeb0888f9c814b548e4285acb12c778bd0e

  • SHA512

    50265b1ff0d0647df4b77831d3e853025ee5bbd043f536749c489eba8f4686803e395acbd6d0fd765b57c849a41e0c0d5f11f08d29083e0948030a0f093b0a90

  • SSDEEP

    3072:/9RrsfT5yvRJ3IJh+frQUq3BxGmTiuK23:/9RrsfT5ypAh+Up3xiux3

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Targets

    • Target

      607e933de863079ad4951af3f23bcfd0_NeikiAnalytics.exe

    • Size

      120KB

    • MD5

      607e933de863079ad4951af3f23bcfd0

    • SHA1

      6f36e33c472f58cfb65f0385e13bb25c9ad32219

    • SHA256

      493a3d28030bc5b394d23d1b2b19bbeb0888f9c814b548e4285acb12c778bd0e

    • SHA512

      50265b1ff0d0647df4b77831d3e853025ee5bbd043f536749c489eba8f4686803e395acbd6d0fd765b57c849a41e0c0d5f11f08d29083e0948030a0f093b0a90

    • SSDEEP

      3072:/9RrsfT5yvRJ3IJh+frQUq3BxGmTiuK23:/9RrsfT5ypAh+Up3xiux3

    • Modifies firewall policy service

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Defense Evasion

Modify Registry

5
T1112

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

Tasks